topic Re: How to extract tracktrace field from one search to use in another search? in Splunk Search

How to extract tracktrace field from one search to use in another search?

kenth213 — Fri, 26 Sep 2014 01:58:10 GMT

I have a dashboard/form which takes two field inputs to perform a search and find an appropriate tracktrace.
index=myindex sourcetype="mysource" ""$token$"" ""$token2$"" |rex "(?i)(?P[^<]+)" | table tracktrace

I need to be able to use the tracktrace value from the above search and perform a new search to return a different field which isn't part of the same events returned above e.g.
index=myindex sourcetype="mysource" $tracktrace$ | rex "(?i)(?P[^<]+)" | table myvalue

How would I go about this?

Re: How to extract tracktrace field from one search to use in another search?

sk314 — Fri, 26 Sep 2014 03:12:46 GMT

Have you tried piping it to a search command like so:

index=myindex sourcetype="mysource" ""$token$"" ""$token2$"" | rex "(?i)(?P[^<]+)" | search tracktrace | rex "(?i)(?P[^<]+)" | table myvalue

Re: How to extract tracktrace field from one search to use in another search?

kenth213 — Fri, 26 Sep 2014 03:50:21 GMT

Yes and it wasn't successful. The information I want to ultimately find/display is in a separate event to where I initially pick up the tracktrace value.

As the user wouldn't have the tracktrace to return the required results, the purpose of the form is to find the tracktrace for them from information they do have. Then perform a search based off that tracktrace to return the desired information. Some code was trimmed out of my initial post, but basically:

Search 1 takes two token inputs from text fields and completes the appropriate search to return event that contains the track trace.
The track trace value is then extracted.
I then need to perform another search with this value to find the event with results they are looking for, and extract/display the field.

Re: How to extract tracktrace field from one search to use in another search?

sk314 — Fri, 26 Sep 2014 07:01:54 GMT

Try this instead:

index=myindex sourcetype="mysource" ""$token$"" ""$token2$"" | rex "(?i)(?P[^<]+)" | search tracktrace ="*" | rex "(?i)(?P[^<]+)" | table myvalue

I am assuming token and token2 are populated properly and the rex extraction is named tracktrace. I forgot to add tracktrace="*" in the previous comment.

Re: How to extract tracktrace field from one search to use in another search?

wpreston — Fri, 26 Sep 2014 12:09:00 GMT

If I'm understanding what you want to do, it sounds like a subearch might be the way to go. Something like this?

index=myindex sourcetype="mysource" [index=myindex sourcetype="mysource" ""$token$"" ""$token2$"" |rex "(?i)(?P[^<]+)" | fields tracktrace | dedup tracktrace] | rex "(?i)(?P[^<]+)" | table myvalue

This approach should work great for retrieving a set of events based on values received from another search, as long as the subsearch returns less than 10,500 results. If you're going to have more than 10,500 unique tracktraces, we will need to restructure this search.

Re: How to extract tracktrace field from one search to use in another search?

kenth213 — Mon, 29 Sep 2014 01:37:55 GMT

This is getting closer thanks! Though I have a couple of bumps that need ironing out.

Checking the search job inspector, I can see that it has evaluated the subsearch expression and has found the correct value, and incorporated into my main search - perfect. Though I'm returning no results...doh. I think it might be because the field name I am using.

When I find the track trace initially, it comes from an xml field named , which I was calling tracktrace in my rex. However when I am using that value to find the appropriate logs in my main search the xml field name is .

The subsearch then goes looking for tracktrace="M40GW2014092911354947166" which can't be found.
Can I somehow still use the value/result (M40GW2014092911354947166) from the subsearch and populate that into the main search in a way that it can find the event
i.e. If I just type into search "M40GW2014092911354947166" it would return the correct event.

Or am I naming the field incorrectly that I could do another way? Currently:

rex "(?i)'<'ns2:MessageTrackTrace'>'(?P'<'tracktrace'>'[^<]+)"

without internal ' ' on arrows.

Re: How to extract tracktrace field from one search to use in another search?

kenth213 — Thu, 15 Jan 2015 01:23:56 GMT

Revisted this after Xmas and managed to get this working correctly with sub search. There was an issue with my main search string throwing off my results. Thanks for the help